Time acl not working

Hello all, time acl is not working for dynamic HTTPS pages such as social networks.

I set it to release any content during lunch time. In this period everything works, but when the interval expires, the already open network media pages continue to receive updates and are not blocked as expected. On the other hand, HTTP pages and some static HTTPS pages do not have this problem.

The issue was verified in both squid3 and squidguard 1.5 in explicit mode and in sites such as Facebook, Twitter and Instagram.

The problem is very simple to simulate. The only workaround found is to restart the squid.

Re: Time acl not working

On Wednesday 07 February 2018 at 12:12:47, Danilo V wrote:

> Hello all, time acl is not working for dynamic HTTPS pages such as social
> networks.
>
> I set it to release any content during lunch time. In this period
> everything works, but when the interval expires, the already open network
> media pages continue to receive updates and are not blocked as expected. On
> the other hand, HTTP pages and some static HTTPS pages do not have this problem.
>
> The issue was verified in both squid3 and squidguard 1.5 in explicit mode
> and in sites such as Facebook, Twitter and Instagram.
>
> The problem is very simple to simulate. The only workaround found is to
> restart the squid.
>
> Can someone help me?

So what https_port and/or SSL-Bump settings do you use to actually
access the HTTPS requests?

Without either explicit TLS or SSL-Bump there is only an initial CONNECT
tunnel setup. The time ACLs are applied at that point and HTTP ends once
the tunnel starts. No ACLs or other checking is possible on the TCP
connection.

Re: Time acl not working

On 08/02/18 02:50, Danilo V wrote:
> I'm not using SSL intercept configuration. Now I see it is required, even
> for explicit mode.

Only because you want *Squid* to be the process controlling HTTPS
things. If you did the controls at the network traffic level (e.g.
iptables, pf) instead then you would not have to worry about these types
of differences.
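
The following is an added example, not part of the original thread: a log check that finds CONNECT tunnels admitted inside a time-ACL window and still open after it closed, which is the behaviour the replies above explain. It assumes Squid's native access.log format (entry written when the tunnel closes, elapsed time in milliseconds), a hypothetical 12:00-13:00 UTC window, and constructed sample lines.

```python
from datetime import datetime, time, timezone

# Assumed policy window (not from the thread): 12:00-13:00, evaluated in UTC.
WINDOW_START, WINDOW_END = time(12, 0), time(13, 0)

# Constructed access.log lines in Squid's native format:
# time.ms elapsed_ms client code/status bytes method URL user hierarchy type
SAMPLE_LOG = """\
1518006000.000  600000 10.0.0.6 TCP_TUNNEL/200 9120 CONNECT www.instagram.com:443 - HIER_DIRECT/203.0.113.20 -
1518006600.000     120 10.0.0.6 TCP_MISS/200 5310 GET http://example.com/ - HIER_DIRECT/203.0.113.30 text/html
1518008410.000   40000 10.0.0.7 TCP_TUNNEL/200 2200 CONNECT twitter.com:443 - HIER_DIRECT/203.0.113.40 -
1518008700.000       0 10.0.0.5 TCP_DENIED/403 3900 CONNECT www.facebook.com:443 - HIER_NONE/- text/html
1518013800.000 6000000 10.0.0.5 TCP_TUNNEL/200 48211 CONNECT www.facebook.com:443 - HIER_DIRECT/203.0.113.10 -
"""


def in_window(epoch):
    """True if the UTC time of day of `epoch` falls inside the allowed window."""
    return WINDOW_START <= datetime.fromtimestamp(epoch, timezone.utc).time() < WINDOW_END


def overrunning_tunnels(log_text, grace_s=60):
    """Return (client, target, overrun_seconds) for tunnels admitted inside the
    window that were still open more than `grace_s` seconds after it closed."""
    findings = []
    for line in log_text.splitlines():
        f = line.split()
        # Match on method and status, not the result tag, which varies by version.
        if len(f) < 7 or f[5] != "CONNECT" or not f[3].endswith("/200"):
            continue
        end = float(f[0])                  # entry is written when the tunnel closes
        start = end - int(f[1]) / 1000.0   # the only moment the time ACL was checked
        if not in_window(start):
            continue
        day = datetime.fromtimestamp(start, timezone.utc).date()
        window_end = datetime.combine(day, WINDOW_END, tzinfo=timezone.utc).timestamp()
        if end - window_end > grace_s:
            findings.append((f[2], f[6], int(end - window_end)))
    return findings


if __name__ == "__main__":
    for client, target, overrun in overrunning_tunnels(SAMPLE_LOG):
        print(f"{client} kept a tunnel to {target} open {overrun}s past the window")
```

Because the entry only appears once a tunnel has closed, tunnels that are still open at the time of the check are not in the log yet.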